Solved

Firewall & ICQ

Posted on 1998-04-07
442 Views
Last Modified: 2013-12-23
Bastion host: FreeBSD & firewall(ipfw)
Q: How do I describe the ICQ ports in the ipfw config for Internet chat (with the external world) without an ICQ server on the bastion?
Question by:korzadze
4 Comments
Expert Comment

by:mzito
ID: 1583235
On the client side, in ICQ, go into the Connections tab in the Preferences folder and select "Permanent LAN" and "I'm behind a proxy server/firewall." Then click on "Firewall Settings" and set ICQ to use a range of tcp ports (you set them, but it should be no fewer than 11 ports, like 3600 to 3610). Finally, reconnect to the ICQ network to apply the new settings.

Then, using ipfw, poke a hole in the firewall for that given range of tcp ports.  I haven't used ipfw in a while, so I can't remember the exact syntax, but check the man pages for the forwarding syntax.

One more thing: you have to set up each client with a separate range of tcp ports  (i.e. Client #1 has ports 3600-3615, client #2 has ports 3616-3631, etc.). Then just poke the hole in the firewall for the whole range of ports.  Hope this answers your question.

Best Wishes,
Matthew Zito
Author Comment

by:korzadze
ID: 1583236
Sorry, but I don't know how to describe an established connection for ICQ in ipfw terms, i.e. established, setup ... and the protocols TCP, UDP or so. (I'm a novice at dealing with Unix :-( )

From the ipfw man page:

    established    Matches packets that have the RST or ACK bits set.
                   TCP packets only.
    setup          Matches packets that have the SYN bit set but no
                   ACK bit.  TCP packets only.
Accepted Solution

by:
mzito earned 100 total points
ID: 1583237
Oh, okay. That's easy enough. The simplest solution to your question is to not specify established or setup connections. Here's the command line for what you're looking for (I dragged out my old FreeBSD handbook):

    ipfw add allow tcp from any to AAA.BBB.CCC.0/24 DDDD-EEEE

Where:
AAA.BBB.CCC.0/24 is your class C network
DDDD is the start port that you put into ICQ
EEEE is the final port you put into ICQ

The DDDD-EEEE port range should ideally cover all clients. (I.e. in the aforementioned example, if Client #1 has 3000-3020, client #2 has 3021-3040, and client #3 has 3041-3060, your DDDD-EEEE would be 3000-3060.) That way, it's only one rule set your kernel has to match against. The other way would be to add an entry for each client. That syntax would be as follows:

    ipfw add allow tcp from any to AAA.BBB.CCC.FFF/32 DDDD-EEEE

In this case, AAA.BBB.CCC.FFF is a single IP address, which is why it is suffixed with /32. I would recommend a single rule, though, matching all clients. That way, the kernel will only match the one rule instead of one rule for each client. Hope this answered your question more thoroughly.
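The accepted solution above leaves the port arithmetic to the administrator: each ICQ client gets its own TCP port range, and the firewall rule is either one rule per host or a single rule spanning the lowest start port to the highest end port. The POSIX sh script below is an added example, not part of the original thread or of ipfw itself; it builds both rule forms from a constructed client list (the 192.0.2.0/24 addresses and port numbers are placeholders) and refuses to emit the combined rule if two clients' ranges overlap, since the client-side setup in this thread requires disjoint ranges. It prints the rules rather than loading them, so the resulting hole in the bastion can be reviewed before it is opened.

```shell
#!/bin/sh
# Added example (not from the original thread): generate the ipfw rules
# described above from a list of ICQ clients, one TCP port range per client.
# Addresses and ports are constructed placeholders, not a real network.

# One client per line: "address start-port end-port" (constructed sample data).
CLIENTS='192.0.2.10 3000 3020
192.0.2.11 3021 3040
192.0.2.12 3041 3060'

# Second form from the answer: one rule per host, /32 suffix, its own range.
per_client_rules() {
    printf '%s\n' "$CLIENTS" | while read -r addr lo hi; do
        [ -n "$addr" ] || continue
        printf 'ipfw add allow tcp from any to %s/32 %s-%s\n' "$addr" "$lo" "$hi"
    done
}

# Compute the DDDD-EEEE range covering every client: lowest start port to
# highest end port. Ranges are sorted by start port and checked for overlap;
# on overlap awk exits non-zero and nothing is printed.
combined_range() {
    printf '%s\n' "$CLIENTS" | sort -n -k2 | awk '
        NF == 3 {
            if (prev_hi != "" && $2 <= prev_hi) exit 1   # overlapping ranges
            if (min == "" || $2 < min) min = $2
            if (max == "" || $3 > max) max = $3
            prev_hi = $3
        }
        END { if (min != "") print min "-" max }'
}

# First form from the answer: a single rule for the whole class C network.
# Returns non-zero (and prints nothing) if the client ranges overlap.
network_rule() {
    net=$1
    range=$(combined_range) || return 1
    printf 'ipfw add allow tcp from any to %s %s\n' "$net" "$range"
}

# Usage: print both rule sets for review instead of running them.
network_rule 192.0.2.0/24
per_client_rules
```

With the sample list the single rule comes out as `ipfw add allow tcp from any to 192.0.2.0/24 3000-3060`, which is exactly the span the answer computes by hand; narrowing the source (`from any`) is left to the administrator, as the thread does not discuss it.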
Expert Comment

by:mseiden
ID: 1583238
ICQ has both a proprietary protocol and proprietary code you run on your desktop. That protocol can be manipulated to install a back door on your machine. For one example, see http://members.tripod.com/~hakz/ICQ/index.html, which claims one such back door has been written capable of executing arbitrary commands on your desktop machine.

There have been a number of data-driven attacks on ICQ posted to various bug reporting lists. I recommend to my clients that ICQ not be allowed through firewalls until the protocol is published and proxies are written that can handle it.